ABSTRACT

A method, using a secret key, to protect information in a storage disk of a computer, where the secret key is derived from a password entered into the computer by an authorized user. The method begins by applying a length-increasing pseudorandom function to the secret key and an index to generate a pseudorandom bit string having a length that is a function of the size of a sector of the storage disk. The sector is associated or otherwise identified by the index used by the pseudorandom function to generate the pseudorandom bit string. The pseudorandom bit string is then used to encrypt and decrypt data accesses to and from the sector.

20 Claims, 3 Drawing Sheets
METHOD TO PROTECT INFORMATION ON A COMPUTER STORAGE DEVICE

This application is a continuation-in-part of prior application Ser. No. 08/163,054, filed Dec. 6, 1993, and assigned to the assignee of this application, now U.S. Pat. No. 5,454,039.

TECHNICAL FIELD

The present invention relates generally to computer data security and more particularly to a method to protect against unauthorized disclosure of information stored on a mass storage device of a computer.

BACKGROUND OF THE INVENTION

The shrinking of computing resources has led to a new and dangerous mass security threat. Information stored in a computer's mass storage device (e.g., a hard disk) can be stolen by theft of the computer itself. The theft of smaller computers such as "portables" is a particularly urgent problem that has not been adequately addressed. Whether the portable computer is stolen for the sensitive data stored therein or for the hardware is often unclear from the circumstances of the theft itself; typically, however, the owner must assume that the data will be compromised.

There are other known threats to sensitive information stored in a computer. Under many operating systems there is no access control or user authentication. For example, under the DOS or OS/2 operating systems as well as with other machines with access control, a so-called "lunchtime" attack can be quite effective. In this scenario, the adversary sneaks into an insecure or unattended area and copies information from the computer's hard disk. The owner, of course, may never know that the information has been stolen.

There is therefore a long felt need in the computer industry for methods to protect information on a computer storage device against unauthorized disclosure when the computer is stolen or temporarily commandeered by unauthorized individuals.

BRIEF SUMMARY OF THE INVENTION

It is a principal object of the invention to protect the confidentiality of information stored on a storage device of a computer, even if the computer is stolen or otherwise accessed without the owner's consent or knowledge.

It is a further object of the invention to allow any computer (including, without limitation, personal [illegible] information stored therein such that there is little or no user visibility of the security, no special security features are required of the underlying hardware or operating system, and there is little performance impact on the operation of the device.

[illegible] a cryptographic [illegible] that operates efficiently in software and that is optimized to known high speed [illegible] storage device.

It is another object of the invention to describe a method for securing information on a portable computer that is shared by a number of authorized users, each obtaining access with his own password. Each authorized user of the computer may change his or her password yet still access the computer's storage device in a secure manner.

It is yet a further object of the invention to describe a novel computer that incorporates the techniques for securing sensitive information stored therein.

These and other objects of the invention are provided in a method, using a secret key, to protect information in a storage disk of a computer, where the secret key is derived from a password entered into the computer by an authorized user. The method begins by applying a length-increasing pseudorandom function to the secret key and an index to generate a pseudorandom bit string having a length that is the size of a sector of the storage disk. The sector is associated or otherwise identified by the index used by the pseudorandom function to generate the pseudorandom bit string. The pseudorandom bit string is then used to encrypt and decrypt data accesses to and from the sector. Thus, all [illegible] decrypted by the pseudorandom [illegible] the disk is read. Information to be stored in a sector is encrypted by the pseudorandom string before it is written to the disk.

Preferably, the secret key is only maintained in the computer's volatile memory to thereby enable the authorized user to encrypt and decrypt data accesses from the sector during authorized use of the computer. However, when the particular computing session is ended (e.g., when the authorized user turns the computer off or logs off) or interrupted (e.g., when the authorized user locks up the computer or ceases to interact with the computer for a predetermined timeout period), the secret key is erased from the computer's volatile memory to prevent unauthorized disclosure of information in the sector.

In the preferred embodiment the secret key is preprocessed by transforming it into one or more tables of pseudorandom numbers. Preprocessing the secret key in this manner facilitates the generation of the pseudorandom bit string by the pseudorandom function once the particular index (i.e., the disk sector identification) is identified. The tables of pseudorandom numbers provide an efficient representation of the secret key to decrease the time necessary to generate the particular pseudorandom bit string associated with the sector.

According to another feature of the invention, a computer having a storage device is provided with a routine for processing a password to generate a secret key. A pseudorandom function uses the secret key and an index to generate a pseudorandom bit string whose length is a function of the size of a particular disk sector identified by the index. Data accesses to the disk sector are encrypted and decrypted using the bit string.

The preferred method may be implemented on a program [illegible] embodies a program of instructions [illegible].

The foregoing has outlined some of the more pertinent objects of the present invention. These objects should be construed to be merely illustrative of some of the more prominent features and applications of the invention. Many other beneficial results can be attained by applying the disclosed invention in a different manner or modifying the invention as will be described. Accordingly, other objects and a fuller understanding of the invention may be had by referring to the following Detailed Description of the preferred embodiment.

DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention and the advantages thereof, reference should be made to
the following Detailed Description taken in connection with the accompanying drawings in which:

FIG. 1 illustrates a computer comprising a system unit, a keyboard, a mouse and a display, for use in implementing the method to protect information according to the present invention;

FIG. 2 is an architectural block diagram of the computer illustrated in FIG. 1;

FIG. 3 illustrates a portion of the computer of FIG. 1 showing a length-increasing pseudorandom function supported in the device driver to facilitate disk encryption;

FIG. 4 illustrates a preferred process for generating a pseudorandom bit string; and

FIG. 5 illustrates a portion of the computer of FIG. 1 showing a length-increasing pseudorandom function supported in the device driver to facilitate file encryption.

DETAILED DESCRIPTION

According to the present invention, a software product is provided that works under any operating system (including, without limitation, DOS, OS/2, and AIX) to protect all confidential information on a computer disk or other storage media during those periods in which the machine is not in use. The invention protects against thieves, lunchtime attacks, and other invasions of privacy. The invention is useful on so-called "portables" (i.e., laptop, notebook and subnotebook computers), desktop machines (i.e., personal computers or workstations), pen-based machines, other handheld computers including personal data assistants ("PDA's"), smartcards and the like. As used herein, "computer" is intended to have the broadest possible interpretation.

According to the invention, all sensitive information on the computer's storage device is stored in ciphertext using a secret key such that if the storage device or the computer [illegible] cannot [illegible] of the information. The information obtained from each read of the storage device is decrypted, and the information obtained from each write is encrypted. Preferably, the requisite secret key is not present on the storage device; rather, it resides in memory when the machine is in use, and it resides nowhere in the computing system when the machine is not in use.

More specifically, securing the computer's sensitive information [illegible] is achieved by using a cryptographic object, called a "length-increasing pseudorandom function," which is a function of the secret key and an index that determines where in the storage device the particular data is stored. The result of that evaluation is a pseudorandom bit string that will have a length equal to the area of the storage device in which the data will be stored. If the storage device is a hard disk drive the area is a "sector." Data to be stored in the sector is then encrypted with the pseudorandom bit string (typically by XORing the bit string with the plaintext) to give the ciphertext, which is then stored.

By way of brief background, a computer for use in supporting the invention is shown in FIG. 1. The [illegible] comprises a system unit 21, a keyboard 22, a mouse 23 and a display 24. The screen 26 of display device 24 is used to present the graphical user interface (GUI). The graphical user interface supported by the operating system allows the user to use a point and shoot method of input, i.e., by moving the mouse pointer 25 to an icon representing a data object at a particular location on the screen 26 and pressing on the mouse buttons to perform a user command or selection.

FIG. 2 shows a block diagram of the components of the personal computer shown in FIG. 1. The system unit 21 includes a system bus or plurality of system buses 31 to which various components are coupled and by which communication between the various components is accomplished. The microprocessor 32 is connected to the system bus 31 and is supported by read only memory (ROM) 33 and random access memory (RAM) 34 also connected to system bus 31. A microprocessor in the IBM PS/2 series of computers is one of the Intel family of microprocessors including the 386 or 486 microprocessors. Other microprocessors including, but not limited to, Motorola's family of microprocessors such as the 68000, 68020 or the 68030 microprocessors and various RISC microprocessors such as the PowerPC microprocessor manufactured by IBM, and others made by Hewlett Packard, Sun, Intel, Motorola and others may be used in the specific computer.

The ROM 33 contains among other code the Basic Input-Output system (BIOS) which controls basic hardware operations such as the interaction and [illegible] keyboard. The RAM 34 is the main memory into which the operating system and application programs are loaded. The memory management chip 35 is connected to the system bus 31 and controls direct memory access operations including, [illegible] and floppy disk drive 37. The CD ROM 42, also coupled to the system bus 31, is used to store a large amount of data, e.g., a multimedia program or large database.

Also connected to this system bus 31 are various I/O controllers: the keyboard controller 38, the mouse controller 39, the video controller 40, and the audio controller 41. The keyboard controller 38 provides the hardware interface for the keyboard 22, the mouse controller 39 provides the hardware interface for the mouse 23, the video controller 40 is the hardware interface for the display 24, and the audio controller 41 is the hardware interface for the speakers 25a and 25b. An I/O controller 50 such as a Token Ring [illegible] enables communication [illegible] to other similarly configured data processing systems.

One of the preferred implementations of the present invention is as a set of instructions in a code module resident in the random access memory 34. Until required by the computer system, the set of instructions may be stored in another computer memory, for example, in the hard disk [illegible] for eventual use in the CD ROM 42 or in a floppy diskette for eventual use in the floppy disk drive 37. As shown in FIG. 2, the operating system [illegible] and the [illegible] are resident in RAM 34.

According to the invention, the contents of the data storage device (such as hard disk drive 36) are protected from unauthorized disclosure of its information through the use of a pseudorandom function keyed using a user-derived secret and evaluated at the position of a data block within the data storage device in order to determine a mask which is XORed or otherwise combined with the data stored at that location. Generally, the invention envisions the use of a length-preserving cipher where the ciphertext depends [illegible] but also on the position [illegible] (plaintext, [illegible] (index)). [illegible] use the cipher block chaining of a [illegible] stream cipher of similar structure and function is thus useful in the present invention.

In one embodiment, the invention is a device driver that transparently encrypts and decrypts all accesses to and from
the disk 36. In this application, the secret key is a bit string that is derived from a password p_u that a user u enters when he or she turns his machine on. As an example, one might select a = SHA(p_u) ⊕ K_u, with K_u being a 160-bit string associated to user u and stored on the machine's disk. "SHA" refers to the Secure Hash Algorithm described in National Institute of Standards, "Secure Hash Standard," Federal Information Processing Standards Publication 180, which is incorporated herein by reference. When the operating system tries to read the i-th sector from the hard disk, the data there (i.e., a string x) is read and then decrypted by XOR-ing it with a length-increasing pseudorandom function f_a evaluated at "i" (i.e., the sector number). As many bits of the pseudorandom function are used as a sector is long. Similarly, when the operating system tries to write the i-th sector, the data to be written is first encrypted by XOR-ing with f_a(i). In the event that there is more than one disk whose contents are to be encrypted, indices are selected for each disk such that no two sectors receive the same index.

FIG. 3 illustrates a portion of the computer of FIG. 1 showing the pseudorandom function supported in a device driver to facilitate such disk encryption. As used herein, the term "device driver" also includes terminate and stay-resident programs. In this example, the computer supports the device driver 76 that intercepts read or write calls directed to a mass storage device, in this case the hard disk 36 of the computer of FIG. 2. The read/write calls are communicated to the device driver 76 from the operating system 78. The operating system supports a login utility 80 that receives the password p_u that the user enters when he turns the computer on. The login utility hands off the password to the key processing utility 82 that generates an efficient representation of the secret key to enable computationally-fast generation of a pseudorandom bit string that is used to secure the information intended for or retrieved from the sector. In one embodiment, the efficient representation is one or more tables of pseudorandom numbers that are then supplied to the pseudorandom function 84. Function 84 then encrypts the disk data via the encryption function 86, usually an XOR.

The particular details of the preferred embodiment can now be described in greater detail. When the user installs the product, it queries him for a password p_u and possibly a user name and other user check data. Information dependent on the user password is then combined with (non-secret) information (e.g., a mask associated to the user and an instance identification for the product) to determine a secret key, a, for the user. More particularly, the mask may depend on a value identification (ID) stored on the machine's disk (in the clear), where the ID is unique to each machine and may be a random number or a device serial number. The mask may depend on information stored (in the clear) on the disk and that is associated to the particular user. Or the mask may depend on user-associated check information used in such a way that the mask will evaluate to "invalid" if the entered password does not recover the correct key. The secret key can also be generated using a slow-to-compute function. Such processing insures that an attacker cannot assemble a generally-useful dictionary of secret keys corresponding to commonly-selected passwords.

The secret key a is processed by the computing system to convert it into an efficient representation of a cipher specialized to a, namely f_a. The cipher f_a is a "length-increasing pseudorandom function" that takes a relatively short index i and maps it into a long sequence of bytes, as many bytes as there are bytes in one sector of the disk 36. A one-way function of the secret key a is installed on the mass storage device to allow the key processing unit to distinguish correct and incorrect passwords. However, preferably the password itself is not saved after installation.

Each sector in the range over which the user wishes to have information kept private is then subjected to the following processing. When the string x at position i of the disk is read, the value f_a(i) is computed by the computing system. These steps may be carried out concurrently. A value y is computed by XORing or otherwise combining x and f_a(i). The value y replaces the previous value x for the contents of the sector. This completes the installation of the program.

Later, when the user performs a machine logon or otherwise initiates a session with the machine, the following processing takes place. The authorized user first enters a password, and possibly a user name and other data. Again, information, possibly combined with other (non-secret) information stored in the computing system, determines the secret key. The secret key is then subjected to processing in the computing system to convert it into an efficient representation of a cipher specialized to a, namely f_a. The password is verified by checking a one-way function of a against information stored in the computing device. If the password is incorrect, logon is denied; otherwise, logon is allowed. This completes the logon operation.

As noted above, at some time after logon and in response to a read command, the operating system will attempt to read the i-th sector from the disk, where information has been stored in encrypted form. When this occurs, the software computes f_a(i), which can be done quickly because the secret key has already been preprocessed into an efficient representation of f_a. The underlying hardware then retrieves the contents of the i-th sector of the disk, namely "ciphertext" y. This operation may be concurrent with the f_a(i) computation. The value y returned as a result of the read is XORed with f_a(i) to determine the "plaintext" x. Or, the ciphertext and f_a(i) may be combined in some other way to determine x.

At some point in time after logon and in response to a write command, the operating system will attempt to write the contents of the i-th sector from the disk, where information for this sector is to be stored in encrypted form. When this occurs, the software computes f_a(i), and then computes the ciphertext y which is the XOR of x and f_a(i). Or these strings are otherwise combined to determine the ciphertext. The computing system then writes the string y to the position at i.

The efficient representation of f_a, the function that produces pseudorandom bit string for each sector index, and any other information (e.g., the secret key) useful in encrypting and decrypting disk accesses, is preferably stored in volatile memory when the machine is in use under the control of an authorized user. When the authorized user logs off, powers off, locks the computer, or when a predetermined timeout occurs (e.g., a time period during which no user interaction with the machine has occurred), the efficient representation of f_a, and such other information, is erased.

In a preferred embodiment the inventive scheme is implemented as low-level software and, as noted above, may be a device driver or terminate-stay-resident program. On a machine like an IBM PS/1 or PS/2, which use the BIOS (Basic Input Output System) for low-level disk operations, the software can be latched into the interrupt chain and associated with the interrupts that are used to gain read and write access to the hard disk.

If desired, the encrypting software is located in a device driver and encryption occurs on specified partitions; elements of the operating system that load before the device driver reside in a non-encrypted partition. In another embodiment, the boot sector of the machine is modified and all sectors, except the boot sector and the sectors containing the algorithm itself, are encrypted.

Preferably, it is desired that an authorized user have the ability to change his or her password, but that the high overhead operation of encrypting the entire disk should be performed only at install time and not during password change. This is achieved as follows. During installation as described above, a strong password or a sequence of unpredictable bits is determined. This password or these bits determine the secret key a that is used to encrypt the disk according to the function f_a.

When the user u types a password which leads to key a_u, the record (u, a_u ⊕ a) is stored on the disk. When the user u [illegible] a, which is then used to encrypt and decrypt the disk. If the user wishes to change his password from p_u to p_u', where p_u maps to key a_u and p_u' maps to key a_u', all that needs to be done is to replace the record (u, a_u ⊕ a) by (u, (a_u ⊕ a) ⊕ (a_u ⊕ a_u')). Thereafter, the routine recovers a from a_u' and (u, a_u' ⊕ a) in the same way as it recovers a from a_u and (u, a_u ⊕ a).

Similar processing can be used to allow multiple users to share the computer, and each user can separately change his or her password. When multiple users share the computer, it is not always necessary to have a user specify his identity u at logon time. Rather, at logon, each record (u, a_u ⊕ a) can be tried and, if any record yields a key a that recovers the disk contents, the user is allowed on and the function f_a is appropriately constructed.

[illegible] password processing (the function from the password p_u that [illegible] to a_u) is useful [illegible] encryption against brute force attacks, e.g., an attacker who steals the computer and then has the time to test millions of passwords. One useful approach to frustrate such an attack is to apply to the password p_u a slow-to-compute one-way function. The resulting data string is then used to create the secret key. Although such an approach does not materially impact operating efficiency from the user's viewpoint (because the password is processed at logon, which is expected to take several seconds), it presents a significant barrier to a thief who (without knowledge of an authorized user's password) must test millions of potential passwords in order to find one that works. If each test password must be run through a slow-to-compute function, the number of candidate passwords that the thief can try is significantly decreased.

Additional security may be provided by allowing an [illegible] be employed in the scheme so that a user must know a password and also possess a token in order to obtain access to the computer. A simple [illegible] is useful for the purpose is a diskette itself, with the diskette for user u containing a secret k_u. The user also remembers another secret [illegible]. These two secrets are combined by any of several means (e.g., just XORing them) to determine the key which is used as above.

The pseudorandom function used herein is optimized to perform efficiently in software and is preferably implemented on a 32-bit (or higher order) processor of conventional design. Such processors, e.g., include the Intel 386™, Intel 486™ and the Pentium™ Processor, as well as 32-bit Reduced Instruction Set Computer (RISC) processors like the PowerPC™. While these execution vehicles are preferred, the length-increasing pseudorandom function is appropriate to any general purpose 32-bit processor.

As noted above, the pseudorandom function is a cryptographic "object" that preferably maps a relatively short (e.g., 32 bits) index "i" and a secret key a to a pseudorandom bit sequence f_a(i). For f to be called a pseudorandom function, it must be impossible for the attacker, who does not know a, to distinguish f_a(i) from a random function of i. To [illegible] "efficient representation" of the secret key, the key is preprocessed into a table of pseudorandom values. The index (i.e., the sector identification) and a set of values from the table is then used to generate initial values for a plurality of registers. Using a predetermined mixing function, the initial values of some of the registers are then modified in part by taking a current value of a register and replacing the current value with a function of the current value and a value retrieved from the table, the latter value [illegible] predetermined masking function. The masked register values are then concatenated into the pseudorandom bit string to complete an iteration. Subsequent iterations are performed to grow the pseudorandom bit string to a desired length, in this case, the length of the disk sector.

With particular reference now to FIG. 4, a process flow diagram, as described in Ser. No. 08/163,054, filed Dec. 6, 1993, now U.S. Pat. No. 5,454,039, is shown detailing a method for mapping a 32-bit index "n" to an L-bit string y = SEAL_a(n) under the control of a set of tables T, R and S generated from a key "a." The method begins by preprocessing the key "a" into preferably three (3) tables T, R and S. This step is effected using a Make Table procedure 10 which receives as an input the key a. In this particular example, the key is a 160-bit string that [illegible] pseudorandom values in the tables are specified using [illegible] algorithms known in the art. The particular [illegible] and it is envisioned that any pseudorandom generator is useful for this purpose. The pseudorandom generator thus may be derived from a [illegible] algorithm, a block cipher, a stream cipher, and [illegible]. For example, the algorithm used to generate the tables could be based on DES, MD5, the Secure Hash Algorithm (SHA) or even a combination of any of the above. According to the illustrative embodiment, the function G is described in National Institute of Standards, "Digital Signature Standard," Federal Information Processing Standards Publication XX Draft—February 1993, which is incorporated herein by reference.

With the key "a" being a 160-bit string and i being an integer, 0 ≤ i < 2^32, G_a(i) is a 160-bit value. To construct the tables, G is re-indexed by the Make Table procedure 10 to construct a function whose [illegible] procedure 10 then preferably defines the tables as follows:

T[i] = Γ_a(i) for all 0 ≤ i < 512;
[illegible]
[illegible]

Thus table T has 512 word entries, with each entry being 32-bits in length. The entries of tables S and R are also 32-bit words. Table S has 256 entries and table R has a variable length.
Referring back to FIG. 4, the tables T and R are used by an Initialize procedure 12, which also receives as inputs the index "n" and a length control variable "l". The variable "l" is initially set to "0" and its upper limit will depend on the ultimate desired length of the output stream. The Initialize procedure 12 generates a set of initial values for registers (A, B, C, D, n1, n2, n3, n4). The first group of registers (A, B, C, D) have values that will be modified during a particular "iteration" of the algorithm to be described, whereas the second group of registers (n1, n2, n3, n4) have values that remain constant throughout the "iteration". The method further implements a set of mixing functions, M1 . . . [illegible] equal to 64. Each mixing function M_i has a corresponding masking function B_i, and an "iteration" generally comprises a pair of such functions. Thus, mixing function M1 and masking function B1 are effected during a first iteration of the method, and so on. The sixty-four (64) iterations together define a "phase" of the algorithm, with each phase initiated by a call to the Initialize process 12. When the particular phase is complete, the value of "l" is incremented.

The initial values of registers (A, B, C, D) of the first group are supplied via line 15a to the first mixing function M1 during the first iteration. Mixing function M1 also receives via line 17 the initial values of the second group of registers (n1, n2, n3, n4). As will be seen, the function M1 comprises a set of modification instructions which serve to randomize the values of the registers (A, B, C, D) to generate a set of "pre-output" values for these registers on line 15b. The corresponding masking function B1 receives these pre-output values as well as a set of values from table S via line 19. The masking function B1 uses the set of values from table S to mask the pre-output register values from the corresponding mixing function to generate a data string of pseudorandom bits y1.

In addition to being supplied to the masking function B1, preferably the pre-output values of registers (A, B, C, D) on line 15b are also provided as inputs to the mixing function of the next iteration, in this case M2. The mixing function also receives via line 17 the initial values of the second group registers (n1, n2, n3, n4). As described above, these values are initialized by the Initialize process 12 and remain constant throughout the phase. The initial values of the second group of registers are used to modify the pre-output (or perhaps even the initial) values of the first group of registers (from the prior iteration) to allow the mixing function (in this case M2) to more directly depend on information tied to the index n. The output of the mixing function M2 on line 15c is supplied to masking function B2,

Still further details of preferred techniques for implementing the pseudorandom function are described in Ser. No. 08/163,054, filed Dec. 6, 1993, the disclosure of which application is hereby incorporated by reference, now U.S. Pat. No. 5,454,039.

It should be appreciated by those skilled in the art that the specific embodiments disclosed above may be readily used as a basis for modifying or designing other routines for carrying out the same purposes of the present invention. One [illegible] file encryption, as shown in FIG. 5, which [illegible] function supported in the file system to [illegible] number on many UNIX file systems) and the pseudorandom function produces as many bits as the file is long. In this representative example, the files desired to be accessed by the application may reside in the local file system 88 or a remote file system 90 accessible to the local file system 88 via the communication link 92. As in FIG. 3, the login utility 80 collects the user's name and password and passes these to the key processing utility 82, which generates the tables T, R and S. These tables are supplied to the pseudorandom function 84, which generates the pseudorandom bit strings that are used by the encryption function 86 to encrypt the data files.

Encryption may be performed after file compression, with decryption being done before file compression. Thus, to [illegible] technique compresses the file and then encrypts; [illegible] decrypts and then [illegible] file ID and block number. The file systems include appropriate interface layers to communicate the read and write [illegible]. Those skilled in the art will recognize that such equivalent techniques and embodiments do not depart from the spirit and scope of the invention as set forth in the appended claims.

What is claimed is:

1. A method, using a secret key, to protect information in a storage device of a computer, the secret key being derived from a password entered into the computer by an authorized user, comprising the steps of:

applying a length-increasing pseudorandom function to the secret key and an index to generate a pseudorandom bit string having a length that is equal to a portion of the storage device associated with the index; and

using the pseudorandom bit string to encrypt and decrypt data accesses to and from the portion of the storage device.

which receives these pre-ou^put values as well as a next set so 2. The metiiod as described in claim 1 wherein the storage 

of values from table S via line 19. The masking function Ba device is a hard disk and the portion is a sector of the hard 

uses the set of values from table S to * Wsk** the pre*output disk. 

register values from the corresponding mixing function to 3. The method as described in claim 1 wherein the secret 

generate a data string of pseudorandom hits yj. key is stored in a volatiie memory of the computer and 

The iterations continue in this fashion. The particular data 55 vanishes under one or mo'e predetermined conditions, 

strings ou^t firom each itwation arc concatenated to grow 4. The method as described in claim 3 wherein the 

the output data stream. The table S is formatted to be of a predetermined conditions include the authorized user turn- 

sufSdent size so that one pass through the S-table values ing off the conqxiter, the authorized user logging off from 

corresponds to the sixty-four (64) iterations. As noted above, the coirputer, die authorized user locking tiie computer, or 

this cycle is a "phase.** In the event that a phase docs not €0 expiration of a |H«determined time period during which the 

produce a long enough ou^ut stream, a new phase is begin computer is not used by the authorized user, 

by a new call to the Initialize process 12 with "1** having 5. The meUiod as described in claim 1 wherein tiic stcpof 

been incremented by 1. That process then uses new R-values applying the length-Increasing pseudorandom function to 

and begins the cycle again to create new initial values for die the secret key includes die step of transforming the scact 

registers (A, B, C, D, Ui, Uj, nj, n^. The iterations of die 65 key into one or more tables of pseudorandom numbers to 

phase are then begun again. The overall process is stopped facilitate gcncratioa of the pseudorandom bit string given 

when the length of the output stream reaches a desired value. the index. 
6. A method, using a secret key, to protect information in
a storage disk of a computer, the secret key being derived
from a password entered into the computer by an authorized
user, comprising the steps of:

applying a length-increasing pseudorandom function to
the secret key and an index to generate a pseudorandom
bit string having a length equal to a sector of the storage
disk associated with the index;

combining a data block of the information with the
pseudorandom bit string to generate a ciphertext; and

storing the ciphertext in the sector to protect the data
block against unauthorized disclosure.

7. The method as described in claim 6 further including
the step of using the pseudorandom function to encrypt and
decrypt other storage device accesses while the authorized
user is logged onto the computer.

8. The method as described in claim 7 wherein the other
storage device accesses are performed by evaluating the
pseudorandom function at one or more sector indexes.

9. A method to protect information on a storage device of
a computer, comprising the steps of:

deriving a secret key from a password entered into the
computer by an authorized user;

applying a length-increasing pseudorandom function to
the secret key and an index to generate a pseudorandom
bit string having a length equal to a sector of the storage
device associated with the index;

encrypting a data block of the information with the
pseudorandom bit string to generate a ciphertext; and

storing the ciphertext in the sector to protect the data
block against unauthorized disclosure.

10. The method to protect information as described in
claim 9 further including the step of:

retrieving the ciphertext stored at the physical location in
response to a read request; and

decrypting the ciphertext with the pseudorandom bit
string to derive the data block.

11. The method as described in claim 9 wherein the secret
key is derived from the password and other information
stored in the computer.

12. The method as described in claim 11 wherein the other
information includes a unique identifier for the computer.

13. The method as described in claim 9 wherein a
slow-to-compute function is applied to the password prior to
deriving the secret key.

14. A computer, comprising:

a storage device;

means for processing a password entered by an authorized
user to generate a secret key;

means for using the secret key and an index to generate a
pseudorandom bit string having a predetermined
length; and

means for encrypting and decrypting data accesses to and
from the storage device using the pseudorandom bit
string.

15. The computer as described in claim 14 wherein the
index is a file number identifying a file associated with the
location in the storage device, and wherein the predetermined
length of the pseudorandom bit string is made equal
to the length of the file.

16. The computer as described in claim 15 further including
means for compressing and decompressing the file, such
that the file is compressed prior to encryption and decompressed
following decryption.

17. A method, using a secret key, to protect information on
a computer having a disk, comprising the steps of:

deriving a user key from a password entered into the
computer from an authorized user;

encrypting the secret key with the user key to generate a
value that is stored along with information identifying
the authorized user;

recovering the secret key in response to subsequent entry
of the password by the authorized user;

applying a length-increasing pseudorandom function to
the secret key and an index to generate a pseudorandom
bit string having a length equal to a sector of the disk
associated with the index; and

using the pseudorandom bit string to encrypt and decrypt
data accesses to and from the sector.

18. The method as described in claim 17 further including
the step of replacing the value with a second value associated
with a second password of the authorized user.

19. A method, using a secret key shared by a plurality of
authorized users, to protect information on a computer
having a disk, comprising the steps of:

for each authorized user of the computer, deriving a user
key from the authorized user's password and encrypting
the secret key with the user key to generate a value
that is then stored along with an identifier for the user;

recovering the secret key in response to subsequent entry
of a password from one of the authorized users;

applying a length-increasing pseudorandom function to
the secret key and an index to generate a pseudorandom
bit string having a length equal to a sector of the disk
associated with the index; and

using the pseudorandom bit string to encrypt and decrypt
data accesses to and from the sector.

20. An article of manufacture, comprising:

a computer-readable storage medium having a substrate;
and

computer program data encoded in the substrate of the
computer-readable storage medium, wherein the computer
program data comprises:

means for applying a length-increasing pseudorandom
function to a secret key and an index to generate a
pseudorandom bit string having a length equal to a
sector of the storage disk associated with the index; and

means for using the pseudorandom bit string to encrypt
data accesses to the sector of the storage disk and to
decrypt data accesses from the sector of the storage
disk.
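
The flow recited in claims 6, 9 to 13 and 17 to 19, as an added example that is not part of the patent: each user's password-derived key wraps one shared secret key, and that secret key plus a sector index yields the per-sector bit string. HMAC-SHA256 in counter mode stands in for the patent's length-increasing pseudorandom function and PBKDF2 for the slow-to-compute function; the wrap record format, `SECTOR_SIZE` and all function names are assumptions.

```python
import hashlib, hmac, os

SECTOR_SIZE = 512  # assumed sector size in bytes

def user_key(password, salt, machine_id):
    # Claims 11-13: slow-to-compute function over password and machine identifier.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + machine_id, 200_000)

def prf(key, index, length):
    # Stand-in length-increasing PRF: HMAC-SHA256 in counter mode, keyed by
    # the secret key, over (index, block counter). Not the patent's function.
    out, counter = b"", 0
    while len(out) < length:
        msg = index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(secret_key, password, machine_id):
    # Claims 17 and 19: encrypt the 32-byte secret key under a per-user key.
    if len(secret_key) != 32:
        raise ValueError("secret key must be 32 bytes")
    salt = os.urandom(16)
    uk = user_key(password, salt, machine_id)
    pad = hmac.new(uk, b"wrap", hashlib.sha256).digest()
    tag = hmac.new(uk, b"check" + secret_key, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": xor(secret_key, pad), "tag": tag}

def unwrap(record, password, machine_id):
    # Recover the secret key on password entry; the tag rejects a wrong password.
    uk = user_key(password, record["salt"], machine_id)
    secret_key = xor(record["wrapped"], hmac.new(uk, b"wrap", hashlib.sha256).digest())
    tag = hmac.new(uk, b"check" + secret_key, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, record["tag"]):
        raise ValueError("wrong password")
    return secret_key

def crypt_sector(secret_key, index, data):
    # Claims 6, 9 and 10: XOR one sector with PRF(secret key, sector index);
    # the same call encrypts and decrypts.
    if len(data) != SECTOR_SIZE:
        raise ValueError("data must be exactly one sector")
    return xor(data, prf(secret_key, index, SECTOR_SIZE))
```

Because the bit string depends only on the secret key and the sector index, rewriting a sector reuses the same bit string, and the XOR by itself gives no integrity check on what is read back.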